
Editing the OCSP Responder Service

The Online Certificate Status Protocol (OCSP) can be used to provide online certificate status information for the end entities within the PKI. OCSP can be seen as a replacement for CRL, and it may be a more appropriate method in environments where signatures of individual transactions need to be validated with up-to-date revocation information.

The OCSP Responder Service of SSH Tectia Certifier can be used to answer clients' status requests concerning one or more of the Certifier CAs. Currently the OCSP responder can provide status information only for those certificates that are issued by CAs that are managed within the Certifier installation.

Basic Settings

Service description is a free-form description of the Service and its function.

Service status can be either Active or Disabled. If the service is Disabled, it does not perform its function. This option can be used to take the service temporarily out of use.

Service bind address is an HTTP URL, since OCSP uses HTTP as a transport mechanism.

Figure: Editing the OCSP Responder Service configuration

Allowed Operations

If the check box under Allowed operations is selected, an OCSP client can request status information without signing the request.

Certificate Settings

The OCSP responder needs to have a private key and a certificate, so that end entities can validate the signed OCSP responses. Once the OCSP Responder Service is created, the private key is generated and the responder certificate enrolled. Select the CA from which the OCSP responder certificate is enrolled using the Responder CA field.

The validity period included in the certification request can be selected using the Validity period length field.

The length of the OCSP responder private key (measured in number of bits used) can be chosen with the Key size option.

External URL

External URL address is the URL that will be included in the authority information extension field of the issued end-entity certificates, if the extension is included in the CA policy. End entities will use this field to connect to the OCSP responder. This definition can be left empty, in which case the Service bind address field is used as the default value. Note, however, that this address must be accessible from all clients using OCSP, so a different address may be needed here.
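The Allowed operations and External URL settings above decide what a client request looks like on the wire. The following added example (not Certifier code and not part of the original manual) builds an unsigned OCSP request as defined in RFC 6960, checks whether a request carries the optional signature element, and prepares the HTTP POST a client would send. The responder URL is a placeholder, the issuer name, key and serial are constructed sample values, and SHA-1 is assumed as the CertID hash algorithm.

```python
import hashlib
import urllib.request

# Placeholder (assumption): use the responder's External URL or Service bind address.
RESPONDER_URL = "http://ocsp.example.invalid/"
SHA1_ALG = bytes.fromhex("300906052b0e03021a0500")  # AlgorithmIdentifier: id-sha1, NULL

def der(tag, body):
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def der_int(value):
    """Encode a non-negative INTEGER, sized so the top (sign) bit stays clear."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def build_unsigned_request(issuer_name_der, issuer_key_bits, serial):
    """OCSPRequest (RFC 6960) for one certificate, optionalSignature omitted."""
    cert_id = der(0x30, SHA1_ALG
                  + der(0x04, hashlib.sha1(issuer_name_der).digest())
                  + der(0x04, hashlib.sha1(issuer_key_bits).digest())
                  + der_int(serial))
    request_list = der(0x30, der(0x30, cert_id))  # SEQUENCE OF Request
    tbs_request = der(0x30, request_list)         # version defaults to v1
    return der(0x30, tbs_request)

def tlv_span(buf, pos):
    """Return (content_start, end) of the TLV that begins at pos."""
    n, start = buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, start = int.from_bytes(buf[start:start + k], "big"), start + k
    return start, start + n

def request_is_signed(req):
    """True if a [0] optionalSignature follows tbsRequest in the OCSPRequest."""
    body_start, body_end = tlv_span(req, 0)
    _, tbs_end = tlv_span(req, body_start)
    return tbs_end < body_end and req[tbs_end] == 0xA0

def http_post(req_der, url=RESPONDER_URL):
    """Prepare (not send) the HTTP POST that carries the request to the responder."""
    return urllib.request.Request(
        url, data=req_der, method="POST",
        headers={"Content-Type": "application/ocsp-request"})

if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real CA.
    req = build_unsigned_request(b"constructed issuer name", b"constructed key", 0x1234)
    print(len(req), request_is_signed(req), http_post(req).get_method())
```

A responder with unsigned requests disallowed would be expected to reject the request built here, so the same check is useful when auditing which clients still send unsigned requests.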

Certificate Status

Once the certificate for the Service has been enrolled, Certificate status shows its status, and the certificate can be viewed by clicking View Certificate.

Committing Changes

Click the Continue button to accept changes made to the Service settings, or click Cancel to discard them. After clicking Continue, remember to Commit Changes on the Edit Server Entity page.
